AppSec Blog

ASP.NET Padding Oracle Vulnerability

A very serious vulnerability in ASP.NET was revealed this past month that allows attackers to completely compromise ASP.NET Forms Authentication, among other things. When things like this happen, as developers it's important to see what lessons can be learned in order to improve the defensibility of our software. Source: 'Padding Oracle' Crypto Attack Affects Millions of …


WASC Web Hacking Incident Database Semi-Annual Report

In addition to being a SANS Certified Instructor, I also serve as the WASC Web Hacking Incident Database (WHID) project leader. If you are unfamiliar, WHID is a project dedicated to maintaining a record of web application-related security incidents. WHID's purpose is to serve as a tool for raising awareness of web application security problems …


Some Thoughts About Passwords

Passwords don't work. Any password has a finite chance of being guessed. A good password is just less likely to be guessed than a simple password. But a strong password is not necessarily the one with many weird characters but the one that is least likely to be guessed.


Seven Security (Mis)Configurations in Java web.xml Files

There are a lot of articles about configuring authentication and authorization in Java web.xml files. Instead of rehashing how to configure roles, protect web resources, and set up different types of authentication, let's look at some of the most common security misconfigurations in Java web.xml files. 1) Custom Error Pages Not Configured By default Java …


Hacking, Reviewing, and Fixing a Real-World Open Source Web App

A few weeks ago I finished a big update to Secure Coding in Java/JEE (DEV541), which has a new day dedicated to hacking, reviewing, and fixing the code of a real-world open source web application written in Java. It's an introduction to security in the SDLC and is similar to the "Capture and Defend the …